Add some options. renewal scripts.

2022-01-19 18:42:25 +01:00 · 2022-01-19 18:42:25 +01:00 · 2b61560c77
parent 7567958bec
commit 2b61560c77
7 changed files with 140 additions and 1 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -17,3 +17,6 @@ easy_rsa_req_country: 'IT'
 easy_rsa_req_province: 'Province'
 easy_rsa_req_city: 'City'
 easy_rsa_req_org: 'Organization'
+easy_rsa_add_crl_url: False
+easy_rsa_crl_url: http://localhost/crl/crl.pem
+easy_rsa_critical_ca_false: True
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -44,6 +44,27 @@
    with_items: '{{ easy_rsa_helper_scripts }}'
    tags: [ 'easyrsa', 'easy_rsa', 'ca', 'easy_rsa_helper_scripts' ]

+  - name: Fix the CA:False constraint
+    lineinfile:
+      path: '{{ easy_rsa_base_dir }}/x509-types/{{ item  }}'
+      regexp: '^basicConstraints\ =\ CA:FALSE'
+      line: 'basicConstraints = critical,CA:FALSE'
+    loop:
+      - client
+      - code-signing
+      - email
+      - kdc
+      - server
+      - serverClient
+    when: easy_rsa_critical_ca_false
+
+  - name: Add a CRL distribution URI
+    lineinfile:
+      path: '{{ easy_rsa_base_dir }}/x509-types/COMMON'
+      regexp: '^crlDistributionPoints.*'
+      line: 'crlDistributionPoints = URI:{{ easy_rsa_crl_url }}'
+    when: easy_rsa_add_crl_url
+
  - name: Check if the CA has been initialized yet
    stat: path={{ easy_rsa_pki_basedir }}/pki/private/ca.key
    register: easy_rsa_ca_key_file
--- a/templates/renew-client-host-certificate.sh.j2
+++ b/templates/renew-client-host-certificate.sh.j2
@ -0,0 +1,34 @@
+#!/bin/bash
+
+host_arg=
+if [ $# -ne 1 ] ; then
+    echo "You need to pass just one argument: the full hostname for wich the certificate is required"
+    exit 1
+else
+    host_arg="$1"
+fi
+
+easy_rsa_base_dir={{ easy_rsa_pki_basedir }}
+easy_rsa_issued_dir="${easy_rsa_base_dir}/pki/issued"
+easy_rsa_keys_dir="${easy_rsa_base_dir}/pki/private"
+easy_vars_file="${easy_rsa_base_dir}/vars"
+if [ -f "${easy_vars_file}.tmpl" ] ; then
+    echo "There's a template file ${easy_vars_file}.tmpl present. Check that nothing wrong happened, then remove it before proceeding."
+    exit 1
+fi
+
+echo ""
+echo "Starting the renewal of a client host certificate."
+echo ""
+
+cd "$easy_rsa_base_dir"
+./easyrsa renew "$host_arg" nopass
+
+echo ""
+echo "Done."
+echo "The certificate file is ${easy_rsa_issued_dir}/${host_arg}.crt"
+echo "The private key file is ${easy_rsa_keys_dir}/${host_arg}.key"
+echo ""
+echo "Remember that the key of the host certificates do not passphrase protected"
+
+exit 0
--- a/templates/renew-personal-certificate.sh.j2
+++ b/templates/renew-personal-certificate.sh.j2
@ -0,0 +1,41 @@
+#!/bin/bash
+
+name_arg=
+email_arg=
+if [ $# -ne 2 ] ; then
+    echo "You need to pass exactly two parameters in the following order: the full name, between double quotes, and the email address"
+    exit 1
+else
+    name_arg="$1"
+    email_arg="$2"
+fi
+
+easy_rsa_base_dir={{ easy_rsa_pki_basedir }}
+easy_rsa_issued_dir="${easy_rsa_base_dir}/pki/issued"
+easy_rsa_keys_dir="${easy_rsa_base_dir}/pki/private"
+easy_vars_file="${easy_rsa_base_dir}/vars"
+if [ -f "${easy_vars_file}.tmpl" ] ; then
+    echo "There's a template file ${easy_vars_file}.tmpl present. Check that nothing wrong happened, then remove it before proceeding."
+    exit 1
+fi
+
+echo ""
+echo "Starting the renewal of a client host certificate."
+echo "Remember that you need to supply a passphrase for the private key."
+echo ""
+
+sleep 5
+
+cd "$easy_rsa_base_dir"
+cp -f "$easy_vars_file" "${easy_vars_file}.tmpl"
+sed -i -e "s/{{ easy_rsa_req_email }}/$email_arg/g" "$easy_vars_file"
+./easyrsa renew "$name_arg"
+mv -f "${easy_vars_file}.tmpl" "$easy_vars_file"
+
+echo ""
+echo "Done."
+echo "The certificate file is ${easy_rsa_issued_dir}/${name_arg}.crt"
+echo "The private key file is ${easy_rsa_keys_dir}/${name_arg}.key"
+echo ""
+
+exit 0
--- a/templates/renew-server-host-certificate.sh.j2
+++ b/templates/renew-server-host-certificate.sh.j2
@ -0,0 +1,34 @@
+#!/bin/bash
+
+host_arg=
+if [ $# -ne 1 ] ; then
+    echo "You need to pass just one argument: the full hostname for wich the certificate is required"
+    exit 1
+else
+    host_arg="$1"
+fi
+
+easy_rsa_base_dir={{ easy_rsa_pki_basedir }}
+easy_rsa_issued_dir="${easy_rsa_base_dir}/pki/issued"
+easy_rsa_keys_dir="${easy_rsa_base_dir}/pki/private"
+easy_vars_file="${easy_rsa_base_dir}/vars"
+if [ -f "${easy_vars_file}.tmpl" ] ; then
+    echo "There's a template file ${easy_vars_file}.tmpl present. Check that nothing wrong happened, then remove it before proceeding."
+    exit 1
+fi
+
+echo ""
+echo "Starting the renewal of a server host certificate."
+echo ""
+
+cd "$easy_rsa_base_dir"
+./easyrsa renew "$host_arg" nopass
+
+echo ""
+echo "Done."
+echo "The certificate file is ${easy_rsa_issued_dir}/${host_arg}.crt"
+echo "The private key file is ${easy_rsa_keys_dir}/${host_arg}.key"
+echo ""
+echo "Remember that the key of the host certificates do not passphrase protected"
+
+exit 0
--- a/templates/safessl-easyrsa.cnf
+++ b/templates/safessl-easyrsa.cnf
@ -107,9 +107,12 @@ emailAddress_max		= 64
 # dynamically. This core section is left to support the odd usecase where
 # a user calls openssl directly.
 [ basic_exts ]
-basicConstraints	= CA:FALSE
+basicConstraints	= {% if easy_rsa_critical_ca_false %}critical,{% endif %}CA:FALSE
 subjectKeyIdentifier	= hash
 authorityKeyIdentifier	= keyid,issuer:always
+{% if easy_rsa_add_crl_url %}
+crlDistributionPoints = URI:{{ easy_rsa_crl_url }}
+{% endif %}

 # The Easy-RSA CA extensions
 [ easyrsa_ca ]
--- a/vars/main.yml
+++ b/vars/main.yml
@ -18,4 +18,7 @@ easy_rsa_helper_scripts:
  - 'client-host-certificate'
  - 'server-host-certificate'
  - 'personal-certificate'
+  - 'renew-client-host-certificate'
+  - 'renew-server-host-certificate'
+  - 'renew-personal-certificate'